If you use a PC running on Windows 8.1 or later, it comes with a built-in Windows password manager called Credential Manager. The Credential Manager not only saves passwords, but also Windows credentials for connecting automatically with a home or work network, certificate-based credentials for Smart Card logins, and generic credentials for allowing Microsoft apps such as OneDrive, Slack, and Xbox Live to use your PC´s resources.
However, the Credential Manager is inconsistent in automatically saving and retrieving passwords and does not let you manually add or edit passwords. Consequently, most people don´t use the Credential Manager for password management, but rather browser-based password managers such as Edge, Firefox, or Chrome. These are easier to use, give you the option to save passwords for some accounts but not others, and can be configured to alert you to weak or compromised passwords.
The problem with browser-based passwords is that they are browser-specific; so, although you can sync passwords, credit card details, and other saved data across devices, you have to be using the same browser on all your devices to access your passwords. If, for example, you use Edge on your Windows PC, and Chrome on your Android smartphone, your credentials won´t sync and you will have to use two browser-based password mangers to be able to log into accounts from all devices.
A potentially more serious concern with browser-based password managers is that you are not automatically logged out of your browser at the end of a session. If an unauthorized third party gains access to your PC or mobile device – either physically or remotely – they can see all your passwords, credit card details, and other saved data. Furthermore, two-factor authentication won´t necessarily prevent a data breach because the authentication code is likely sent to the same device.
Vault-Based Password Managers for Windows
Vault-based password managers for Windows are web-based solutions that can be accessed from most browsers. Some vendors also provide desktop and mobile apps so you can access credentials offline. One of the primary advantages of vault-based Windows password managers is that data is synchronized in the cloud regardless of which device, operating system, or browser you are using. They also log you out of your vault at the end of each session or after a period of inactivity.
From a user´s perspective, the big difference between a browser-based password manager and a vault-based password manager for Windowsis that you have to log into your vault at the start of each session in order for the password manager to autofill login credentials, credit card details, and other saved data. This means you have to remember a master password to access all your other passwords, whereas with a browser-based password manager you don´t have to.
The inconvenience of remembering and logging in with a master password is overshadowed by the benefits of vault-based password managers for Windows. For example, vault-based password managers enable you to share passwords securely rather than send them via email, SMS, or chat app. They also have more advanced dark web monitoring capabilities and will alert you to any saved credential (i.e., usernames, credit cards, etc.) that have been compromised in a data breach.
The capabilities of vault-based password managers for Windows can vary considerably depending on whether you are using a free version, premium version, or business version of the software. Readers looking for a password manager for Windows for personal use should check out our 5 Best Free Password Managers – some of which can be configured to use Windows Hello rather than a master password. The best Windows password managers for business are compared below.
The Best Windows Password Managers for Business
The best Windows password managers for business tend to have similar basic features inasmuch as a vault is allocated for each employee. Employees can be combined into groups according to their role, location, or other attribute, and system administrators can apply password policies, role-based access controls, and two-factor authentication for business-critical accounts by group. Admins can also share corporate passwords between groups (i.e., for marketing, finance, and IT teams).
Beyond the basic features, there are significant differences that can influence a business´s decision to adopt one password manager over another. For example, several don´t offer native Linux support (i.e., Password Boss), provide vaults that enable employees to isolate personal data from corporate data (i.e., LastPass), or facilitate remote emergency access in the event of employee non-availability (i.e., 1PassWord and NordPass). Few are transparent about the cost of enterprise business plans.
Of the vendors who are transparent about the cost of enterprise business plans, Psono stands out on price. This open source password manager for Windows has four business plans including a feature-limited free plan for unlimited users, a fully-featured free plan for teams of up to ten users, a self-hosted enterprise plan, and a cloud-hosted enterprise plan. Psono also offers multilayer transport encryption, password capture, and PGP encryption for encrypted emails.
Slightly more expensive than Psono is Bitwarden. Bitwarden is also built on open-source software and, as it is a more mature Windows password manager, it has several more features. For example, administration of the Bitwarden platform is more instinctive, it supports more browsers than Psono and more authenticator apps than Psono, and employees can unlock their vaults using biometrics or Windows Hello. Bitwarden also enables businesses to customize management roles.
The Keeper password manager has two business plans – one which is on a price par with Psono´s cloud-hosted option, but with fewer features, and an enterprise plan for which you have to contact sales to find out the price. However, the Keeper enterprise plan looks pretty good with features such as automated team management, email auto-provisioning (for onboarding large numbers of users), and customizable API/command line provisioning for management tasks such as password rotation.
Moving up the price points (considerably), Dashlane offers similar features to Bitwarden with the addition of mass enterprise deployment, free premium family accounts for all employees, and free email support. However, as Bitwarden offers free personal accounts to everybody, Dashlane´s free premium family accounts may not be worth the 60% price difference (although system administrators will likely prefer the more user-friendly interface).
At the top of the price scale is LogMeOnce. LogMeOnce actually advertises an Enterprise plan on a par with Psono, but it is extremely feature-limited. If you want multi-factor authentication, advanced password policies, or leaked password monitoring, you have to pay for them. Support also comes at a premium and every time an employee uses an SMS-based authentication method, the business is charged for the costs of the SMS. Clearly security comes at a price at LogMeOnce!
Conclusion
There is a saying that “in this world, you get what you pay for”. That´s not the case with Windows password managers for business and it can pay to shop around, take advantage of free trials, and evaluate each password manager in your own environment. It is always better to ensure the password manager is easy to administer and that employees understand how to use it in order to prevent configuration errors or employees circumnavigating the password manager´s security controls.